After Detection of an Incident
Incident Response & Computer Forensics, Second Edition
Chris Prosise
Kevin Mandia
Outline
After Detection of an Incident
Overview of the initial response phase
Establishing an incident notification procedure
Recording the details after initial detection
Incident declaration
Assembling the CSIRT
Performing traditional investigative steps
Conducting interviews
Formulating a response strategy
Incident Response methodology
[Diagram: the incident response methodology. An incident occurs (point-in-time or ongoing). Phases: Pre-Incident Preparation; Detection of Incidents; Initial Response; Formulate Response Strategy; Investigate the Incident (Data Collection, Data Analysis); Reporting; Resolution (Recovery, Implement Security Measures).]
Overview of the initial response phase
[Diagram: the initial response phase. An incident occurs (point-in-time or ongoing). Steps: Incident Detection; Initial Notification of Incident; Record Details; Incident Declaration; Assembling the CSIRT (Escalation, Notification of Team Members, Selecting Team Members).]
Recording the details after initial detection
Initial Response Checklist
First Section of the Initial Response Checklist
Second Section of the Initial Response Checklist
System details
Incident containment
Preliminary investigation
Case Notes
First Section of the Initial Response Checklist
Date the incident was detected or initiated
Contact information of person completing the form
Contact information of the person who detected the incident
The type of incident
The location(s) of the computers affected by the incident
The date the incident was first noticed
A description of the physical security at the location(s)
How the incident was detected
Who accessed or touched the relevant system(s) since the onset of the incident
Who has had physical access to the affected system(s) since the onset of the incident
Who currently knows about the incident
Second Section of the Initial Response Checklist
System details
Make and model of the relevant system(s)
Operating system
Primary user of the system(s)
System administrator for the system(s)
Network address or IP address of the relevant system(s)
Network name of the system(s)
Whether there is a modem connection to the system(s)
Critical information that may have resided on the system(s)
Incident containment
Whether the incident is in progress or ongoing
Whether network monitoring is needed or is already being conducted
Whether the system is still connected to the Internet/network
Whether the backup tapes exist for the relevant systems
Whether there is a requirement to keep knowledge of the incident on a "need-to-know" basis
Whether any remedial steps have been taken so far
Whether the information collected is being stored in a protected, tamper-proof manner
Preliminary investigation
The IP addresses involved in the incident
Whether any investigative steps or actions have already been taken
Whether a forensic duplication needs to be made, or whether a logical copy of the relevant system(s) will suffice
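The checklist asks whether the collected information is being stored in a protected, tamper-proof manner. One way to make the recorded details at least tamper-evident is to hash-chain the case notes so that a later edit to any entry breaks verification. The following is an added example written for this page, not code from the book or its authors; the case ID, hostnames and addresses are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first note in a fresh case log


@dataclass
class CaseNote:
    """One recorded checklist detail, chained to the note before it."""
    seq: int
    recorded_at: str       # UTC ISO-8601 timestamp of when the detail was recorded
    section: str           # checklist section the detail belongs to
    detail: Dict[str, Any]
    prev_hash: str         # entry_hash of the previous note, or GENESIS_HASH
    entry_hash: str = ""   # SHA-256 over the fields above, set by CaseLog.record

    def canonical(self) -> bytes:
        """Deterministic serialisation of every field except entry_hash."""
        body = asdict(self)
        body.pop("entry_hash")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def compute_hash(self) -> str:
        return hashlib.sha256(self.canonical()).hexdigest()


class CaseLog:
    """Append-only, hash-chained log of initial-response checklist details."""

    def __init__(self, case_id: str) -> None:
        self.case_id = case_id
        self.notes: List[CaseNote] = []

    def record(self, section: str, detail: Dict[str, Any],
               when: Optional[datetime] = None) -> CaseNote:
        prev = self.notes[-1].entry_hash if self.notes else GENESIS_HASH
        ts = (when or datetime.now(timezone.utc)).isoformat()
        note = CaseNote(seq=len(self.notes), recorded_at=ts,
                        section=section, detail=detail, prev_hash=prev)
        note.entry_hash = note.compute_hash()
        self.notes.append(note)
        return note

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad note."""
        prev = GENESIS_HASH
        for i, note in enumerate(self.notes):
            if (note.seq != i or note.prev_hash != prev
                    or note.compute_hash() != note.entry_hash):
                return i
            prev = note.entry_hash
        return -1

    def head(self) -> str:
        """Hash of the latest note; keep a copy off the system being examined."""
        return self.notes[-1].entry_hash if self.notes else GENESIS_HASH


def build_sample_log() -> CaseLog:
    """Constructed sample entries; names and addresses are placeholders."""
    log = CaseLog("CASE-0001")  # hypothetical case identifier
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.record("first section", {"detected_on": "2024-01-15",
                                 "detected_by": "help desk",
                                 "incident_type": "suspected unauthorized access"}, when)
    log.record("system details", {"hostname": "fileserver01",     # constructed
                                  "ip_address": "192.0.2.10",     # RFC 5737 range
                                  "operating_system": "Linux"}, when)
    log.record("incident containment", {"in_progress": True,
                                        "still_on_network": True,
                                        "remedial_steps_taken": "none"}, when)
    return log


def tamper_and_verify(recompute_hash: bool) -> int:
    """Edit a recorded IP after the fact and report where verify() catches it.

    recompute_hash=False: the stale entry_hash no longer matches -> caught at 1.
    recompute_hash=True:  entry 1 is re-hashed, but entry 2's prev_hash now
                          points at the old hash -> caught at 2.
    """
    log = build_sample_log()
    log.notes[1].detail["ip_address"] = "192.0.2.99"
    if recompute_hash:
        log.notes[1].entry_hash = log.notes[1].compute_hash()
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact chain verify():", sample.verify(), "head:", sample.head()[:16])
    print("naive edit caught at index:", tamper_and_verify(False))
    print("edit with re-hash caught at index:", tamper_and_verify(True))
```

This makes the notes tamper-evident rather than tamper-proof: whoever controls the log file can rewrite the whole chain, so the head hash should be copied somewhere the responders control (printed into the paper case file, sent to a separate system) each time the log is updated, and the log itself still needs the access controls the checklist item implies.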
Incident Declaration
Was there a scheduled system or network outage that caused resources to be unavailable during the time the incident was reported?
Was there an unscheduled and unreported outage of a network service provider that caused resources to be unavailable during the time the suspected incident was reported?
Was the affected system recently upgraded, patched, reconfigured, or otherwise modified in such a way as to cause the suspicious activity that was reported?
Was testing being performed on the network that would lock out accounts or cause resources to be unavailable?
For inside incidents, are there any justifications for the actions an employee has taken that remove or lessen the suspicion?
Next time
Assembling the CSIRT
Performing traditional investigative steps
Conducting interviews
Formulating a response strategy